Community Health Systems, Inc. experienced a criminal external cyber-attack affecting about 4.5 million patients: what CHS did right and important takeaways for hospitals

August 2014
Renee H. Martin

Community Health Systems, Inc. (“CHS”), a for-profit hospital chain that owns multiple hospitals in Pennsylvania, experienced a criminal cyber-attack in April and June 2014, supposedly carried out by a hacker group in China. The information the attackers sought was intellectual property, such as medical device and equipment development data; it did not include patient medical information, payment information or patient clinical information. Instead, the information actually stolen was protected health information (“PHI”) under the Health Insurance Portability and Protection Act of 1996 (“HIPAA”), such as patient names, addresses, birth dates, telephone numbers and social security numbers. Because the hacked information was PHI and involved so many patients, CHS was under a HIPAA obligation to report the breach to the Office of Civil Rights (“OCR”) within 60 days of its knowledge of the breach. Reading between the lines, it appears that CHS did multiple things right in responding to this data breach, and other hospitals can learn some valuable lessons from CHS’ misfortune.

  1. Have in place a robust security system which meets all of the OCR’s Security requirements, so that a breach is detected in a timely manner. Appropriate system safeguards which comport with regulatory requirements help both to mitigate the extent of the breach and to minimize exposure to fines and penalties potentially caused by the breach.
  2. Obtain outside expertise to assist with auditing the breach trail and cause. If the breach appears to involve criminal activity, notify the appropriate investigative authorities to avail yourself of their resources and to distance the organization from the illegal activity. 
  3. Report the breach as soon as possible to the OCR (even before the end of the 60-day notice period) unless advised by investigative authorities to delay the notice. Hospitals don’t need all the facts and a fully completed investigation before notifying the OCR. You may obtain political “good will” from the OCR for early notification.
  4. Protect your hospital’s bottom line with appropriate cyber breach insurance coverage. Multiple coverage forms are now commercially available. One caveat here: ensure that your coverage permits you to retain your own counsel and to call the shots in responding to the breach. While the insurer’s advice is valuable, you don’t want your hands tied in responding to patients, who, after all, are ultimately the focus of your breach minimization efforts.
  5. Provide correct information to patients in accordance with HIPAA’s requirements, and help to ease affected patients’ anxiety about their financial exposure by providing identity theft protection free of charge for a minimum of one year.
  6. Prepare for a breach response before it happens: